From 03ef74b503722f998e5279595ff36b07f51c2ead Mon Sep 17 00:00:00 2001
From: uchia6861-tech
Date: Fri, 1 May 2026 23:28:21 +0100
Subject: [PATCH] fix: sanitize mime_type and filename to prevent HTTP header injection in resumable upload

Sanitize user-supplied mime_type and filename values before they are interpolated into HTTP request headers in prepare_resumable_upload(). CR and LF characters in these values are stripped to prevent potential HTTP header injection. Added a _sanitize_header_value() helper that is applied to both the X-Goog-Upload-Header-Content-Type and X-Goog-Upload-File-Name headers.
---
google/genai/_extra_utils.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/google/genai/_extra_utils.py b/google/genai/_extra_utils.py
index 129c05f7d..014e29eb8 100644
--- a/google/genai/_extra_utils.py
+++ b/google/genai/_extra_utils.py
@@ -52,6 +52,11 @@ McpClientSession = None McpTool = None +def _sanitize_header_value(value: str) -> str: + """Strips CR and LF characters to prevent HTTP header injection.""" + return value.replace('\r', '').replace('\n', '') + + _DEFAULT_MAX_REMOTE_CALLS_AFC = 10 logger = logging.getLogger('google_genai.models')
@@ -659,7 +664,7 @@ def prepare_resumable_upload(
 'X-Goog-Upload-Protocol': 'resumable',
 'X-Goog-Upload-Command': 'start',
 'X-Goog-Upload-Header-Content-Length': f'{size_bytes}',
- 'X-Goog-Upload-Header-Content-Type': f'{mime_type}',
+ 'X-Goog-Upload-Header-Content-Type': _sanitize_header_value(mime_type),
 }
 else:
 http_options = types.HttpOptions(
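Review bot: `_sanitize_header_value` in the first hunk removes only CR and LF, but the remaining C0 control characters and DEL are equally invalid in a header field value under the RFC 9110 field-value grammar, so a filename containing, say, `\x00` or `\x0b` still reaches the header unchanged. A one-line widening that needs no new import is `return ''.join(ch for ch in value if ch >= ' ' and ch != '\x7f')`, with the docstring changed to say "control characters" rather than "CR and LF". Silently stripping also means the upload proceeds under an altered filename or content type; if the intent is to refuse bad input rather than repair it, raising `ValueError` when such a character is present is the alternative, and whichever policy is chosen should be stated in the docstring. Depending on the HTTP client underneath, CR/LF in a header value may already be rejected with an exception, in which case this change turns a hard error into silent acceptance — worth confirming against the client in use.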
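Review bot: The `+` line in the `@@ -659,7 +664,7 @@` hunk passes `mime_type` straight to `_sanitize_header_value`, which calls `.replace` on it; the f-string it replaces would have rendered a `None` or other non-str as text, whereas the helper now raises `AttributeError`. If `mime_type` is guaranteed to be a non-empty `str` by the time these headers are built, a short comment above the header dict stating that invariant would make it visible; otherwise the helper should coerce with `str(value)` first, as the File-Name call in the following hunk already does. The same replacement appears in the next hunk (`@@ -669,11 +674,11 @@`). No test accompanies either change; a unit test that builds these headers from a `mime_type` containing CR/LF and asserts the resulting header values are clean would pin the fix. `prepare_resumable_upload` begins before this hunk.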
@@ -669,11 +674,11 @@ def prepare_resumable_upload(
 'X-Goog-Upload-Protocol': 'resumable',
 'X-Goog-Upload-Command': 'start',
 'X-Goog-Upload-Header-Content-Length': f'{size_bytes}',
- 'X-Goog-Upload-Header-Content-Type': f'{mime_type}',
+ 'X-Goog-Upload-Header-Content-Type': _sanitize_header_value(mime_type),
 },
 )
 if isinstance(file, (str, os.PathLike)):
 if http_options.headers is None:
 http_options.headers = {}
- http_options.headers['X-Goog-Upload-File-Name'] = os.path.basename(file)
+ http_options.headers['X-Goog-Upload-File-Name'] = _sanitize_header_value(os.path.basename(str(file)))
 return http_options, size_bytes, mime_type
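Review bot: `str(file)` on the `+` File-Name line is not a reliable path conversion for an `os.PathLike`: the protocol is defined by `__fspath__`, and a PathLike whose `__str__` differs from its path (a repr-style string, for instance) would yield a wrong basename in the header. `os.fsdecode(file)` accepts `str`, `bytes` and `PathLike` and always returns `str`, so `http_options.headers['X-Goog-Upload-File-Name'] = _sanitize_header_value(os.path.basename(os.fsdecode(file)))` is the safer form and also satisfies the helper's `str` annotation. `prepare_resumable_upload` begins before this hunk.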